May 17, 2024 at 12:09PM
The Ebury botnet, operating for 15 years, has compromised numerous servers, targeting universities, enterprises, and cryptocurrency traders. It steals credentials, intercepts SSH traffic, and has pivoted towards credit card and cryptocurrency theft. Despite the imprisonment of a key perpetrator, Ebury’s operators remain active and pose ongoing challenges for system administrators. ESET has released tools to help detect and remediate Ebury infections.
Key takeaways from the meeting notes:
– The Ebury botnet, active for 15 years, has compromised nearly 400,000 Linux, FreeBSD, and OpenBSD servers, with over 100,000 still affected.
– The botnet targets various entities including universities, enterprises, Internet service providers, and cryptocurrency traders for activities such as spam distribution, web traffic redirection, and credential theft.
– The botnet operators have shifted focus to credit card and cryptocurrency theft, using SSH traffic interception to redirect traffic to their control server and automatically steal cryptocurrency wallets.
– The botnet employs zero-day vulnerabilities and known passwords to hack servers at scale, and it has compromised a significant number of hosting provider servers.
– In the past, the botnet successfully hacked Kernel.org, resulting in the theft of half of its developer SSH passwords.
– One of the key perpetrators, Maxim Senakh, was arrested in 2015 and sentenced to prison, while the remaining masterminds have maintained a low profile.
– Law enforcement investigations and efforts by ESET continue to combat the botnet’s activities.
– ESET has released detection and remediation tools to help system administrators identify and address Ebury infections, which are difficult to clean up fully: the malware can be reinstalled if credentials stolen during the compromise are reused after cleanup.